SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Don't Miss: "Using Data Science to Secure Cloud Workloads." In this session, you will learn how and where data science is being applied in the security industry as well as Cylance's Threat Predictive Advantage, which is one of the many benefits of applying data science to Next-Gen AV products. http://www.sans.org/info/209810

--Mondelez Sues Insurance Company for Not Paying $100 Million NotPetya Claim

(January 10, 2019)

US food company Mondelez is suing insurance company Zurich, which refused to pay a $100 million claim for damages caused by the NotPetya malware. Court documents show that Mondelez systems were hit with NotPetya twice, and that the malware rendered 1,700 servers and 24,000 laptops unusable. The systems were permanently disabled creating high costs for Mondelez, but Zurich refused to pay say a liability exclusion for a hostile or warlike action by a government or sovereign power or people acting for them.

[Editor Comments]

[Pescatore] Cybersecurity insurance claims being denied because of pre-existing conditions (like missing patches that pre-date coverage initiation) or acts of war are not unusual. In fact, from what Ive seen, cybersecurity insurance having a positive ROI is unusual when you take into account premiums and deductibles vs. actual payouts. The fact that cybersecurity insurance only reduces risk by some fixed amount vs. actually transferring risk means that self-insurance is often going to be less expensive and one key point: the cost of avoiding the majority of breaches is usually less than a few years of cyberinsurance costs and the deductible for one incident.

[Murray] There are three things that we can do with risk. We can mitigate it, assume it, or assign it to others through insurance. For foreseeable and probable risk like attacks, mitigation is usually the most efficient. Insurance is usually reserved for residual risk after other measures, things with low rates but consequences so high as to represent a threat to the health of the business. Insurance is a means of spreading risk across time and others. However, insurance companies make money. Therefore, for most things it is not nearly efficient as mitigation.

A US District Judge in Boston has sentenced Martin Gottesfeld to 10 years and one month in prison for launching distributed denial-of-service (DDoS) attacks that against healthcare facilities, including Boston Childrens Hospital, in 2014. In August 2018, a federal jury found Gottesfeld guilty of conspiracy to damage protected computers and of damaging protected computers.

3) What obstacles are you facing with your vulnerability management program? Take the SANS 2019 Vulnerability Management Survey for a chance to win a $400 Amazon gift card | http://www.sans.org/info/209825

--FireEye: DNS Attacks That Targeted Organizations Around the World for Two Years May Have Ties to Iran

(January 9 & 10, 2019)

Researchers at FireEye say they have uncovered a series of DNS hijacking attacks that may be linked to Iran. The attacks occurred over the past two years and targeted mostly governments, telecommunications companies, and Internet infrastructure companies in North America, Europe, North Africa, and the Middle East.

Cisco has made fixes available for two flaws in its AsyncOS email security appliance tool. Both vulnerabilities could be exploited to create denial-of-service conditions. Cisco released 16 additional fixes for other security issues in its products.

On Tuesday, January 8, Microsoft released fixes for nearly 50 security issues, including seven rated as critical. The critical flaws could be exploited to execute code remotely. Affected products include Microsoft Edge, Windows 10, and Server and Chakra Core. In a related story, some of the updates included in Tuesdays release have reportedly bricked devices running Windows 7.

[Editor Comments]

[Neely] Pushing this update to Windows 7 systems in environments using Microsoft Key Management Service (KMS) need to check for negative interaction with the April 2018 KB971033 update resulting in Windows 7 installations no longer being reported as genuine. KB971033 should not be installed this environment. Backing it out and deleting the KMS/activation data will allow reactivation to succeed.

[Murray] The risk associated with the continued use of Windows 7 will continue to increase with time. Use should be restricted to only those applications that cannot be efficiently migrated to current systems. Compensating controls, including isolation from other sensitive systems and apps, may be indicated.

Starting July 9, 2019, Googles Chrome browser will expand its practice of filtering advertisements from sites that have displayed abusive ads. The standard is currently in effect in North American and Europe. This summer, the practice will take effect worldwide. Users will still have the final say about whether or not they want to see the ads on a given site.

[Editor Comments]

[Pescatore] The reality is that the fact that the Internet is free to use enables many forms of attack, like phishing and malvertising. High penetration of ad blocking driving more services requiring paid subscriptions could be a big jump forward for security and privacy -and consumers do seem to be willing to pay for more of both.

[Neely] This only filters items that dont meet the Better Ads Standards regarding abusive ad experiences. The filter can be toggled in chrome://settings/content/ads greyed out means the blocking is enabled. The expansion is co-timed with the Better Ads Standards being expanded to worldwide scope.

Kaspersky Lab appears to have provided the National Security Agency (NSA) with information that helped lead to the arrest of a former NSA security contractor Harold T. Martin III. Martin was arrested in 2016 and charged with the theft of a large amount of classified data.

[Editor Comments]

[Pescatore] There has still been no hard evidence released by the US Government against Kaspersky, but unfortunately, the act of contacting NSA with concerns about Martin does not in any way clear things up. We are still where we wereno evidence Kaspersky Lab takes orders from Russian intelligence, but no real way to prove they don't. Of course, outside the US you can substitute any US firm for Kaspersky and NSA for Russian intelligence and the same sentence holds.

[Neely] Martin was clever enough to extract terabytes of data from the NSA, but not clever enough to protect his identity when reaching out for disposition of the data. Kaspersky was able to track his Twitter handle back to his real identity by way of his dating and LinkedIn profiles. While this is a great example of Kaspersky reaching out to the NSA for the greater good, it is unlikely this will change their standing with the U.S. government as a whole.

Australias First National Real Estate group has acknowledged that a data security incident compromised information of some job applicants. The leak, which affected roughly 2,000 individuals, exposed CV and cover letter information. The incident appears to be related to a third-party online tool.

[Editor Comments]

[Neely] Not only do applicants need to use caution with what they include in their application submission, but employers need to verify the security practices of third-party services used to screen applicants, particularly those relating to background and medical screening.

[Murray] Employment applications contain the most sensitive personal data and are collected under conditions of asymmetric power. Applicants who do not provide any and all information requested are at a distinct disadvantage. Prospective employers owe a special duty to collect only that information essential to the hiring decision, to protect it as they would their own most sensitive data, and to destroy it after a decision has been made.

[Honan] For readers who are responsible for compliance with the EU General Data Protection Regulation (GDPR), this is a stark reminder that you need to ensure you have got assurances from any third party providers on how they protect data entrusted to you by your customers.

Read more in:

IT News: First National Real Estate has job applicant data exposed online

The US Supreme Court has declined to hear Fiat-Chryslers appeal of a class action lawsuit that was filed after researchers demonstrated that weak coding practices in a Jeeps entertainment software allowed hackers to take control of the vehicle. The plaintiffs in the case maintain that Fiat-Chrysler had known about the security issue for three years without fixing it and are seeking damages of US $50,000 per affected vehicle. Fiat-Chrysler maintains that the plaintiffs do not have grounds to sue as they were not directly affected by the vulnerability.

[Editor Comments]

[Murray] Courts have been slow to award damages unless the plaintiffs can show direct damage. Any damage here might be proportional to a loss in re-sale value but that would likely be measured in hundreds of dollars rather than tens of thousands.

Read more in:

The Register: Jeep hacking lawsuit shifts into gear for trial after US Supremes refuse to hit the brakes

The US Defense Advanced Research Project Agency (DARPA) is seeking proposals for systems that would protect data as they are being moved from air-gapped systems to connected systems. The solicitation seeks technology with physically provable guarantees to isolate high risk transactions.

[Editor Comments]

[Neely] Physical separation is one of the key mitigations for keeping classified data contained. The consequences of error, such as a data breach, can be extreme, so any solution will need significant vetting, verification, and testing, and understanding will be necessary before the risks will be accepted, and likely only for specific classifications and levels of data. Today, One Way Links (aka diodes) exist for automated transfer to unclassified systems today, but they are expensive, are geared towards specific file and data types/sizes, have limited throughput, and take a long time to be approved due the sensitive nature of these operation. While processing classified data on a non-isolated system has its appeals, it also presents a significant concentration of risk.

[Pescatore] Air gaps/data diodes have been around and in use in narrow use cases for many years now. The major barrier DARPA cites for their use is the long time it takes the Government to certify them for usewhich of course isnt addressed in a research program! Hard to see that applying the terribly flawed government product certification process to custom semiconductor designs for gaps will remove any barriers.

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.